OWASP News

Featured Projects

OWASP WebScarab NG Project - Rogan has been very busy on the new version of WebScarab, which is not complete, but is already in a very usable state (I already prefer it to the current version). Rogan needs your help in testing this version and sending in your comments. Quote from OWASP WebScarab NG Project: WebScarab-NG is a complete rewrite of the old WebScarab application, with a special focus on making the application more user-friendly. To this end, WebScarab-NG makes use of the Spring Rich Client Platform to provide the user interface features. By using the Spring Rich Client Platform, WebScarab-NG automatically gains things like default buttons, keyboard shortcuts, support for internationalisation, etc.

OWASP CAL9000 Project - This project is a great resource to (amongst other things) understand and exploit XSS. Quote: CAL9000 is a collection of web application security testing tools that complement the feature set of current web proxies and automated scanners. CAL9000 gives you the flexibility and functionality you need for more effective manual testing efforts. Works best when used with Firefox or Internet Explorer.

This filter protects against the recent XSS attacks on PDF files. By using a redirect and an encrypted token, this filter ensures that dangerous attacks are not passed into the Adobe reader plugin.
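As an added illustration of the mechanism described above (redirect plus token gating of PDF downloads), the following Python is example code written for this newsletter entry; it is not the OWASP filter's own source. It assumes an HMAC-signed, expiring token (the page says "encrypted"; signing is the choice made here), a query parameter named pdftoken, a 60-second lifetime and a constructed key, all of which are assumptions, not details from the project:

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed for this example only; a deployment generates its own random key.
SECRET_KEY = b"example-only-key-do-not-deploy"
TOKEN_TTL_SECONDS = 60          # assumed lifetime of a minted token
TOKEN_PARAM = "pdftoken"        # assumed query-parameter name


def _mac(path: str, expiry: int) -> str:
    """HMAC-SHA256 over path and expiry, so the token is bound to both."""
    msg = f"{path}|{expiry}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def make_token(path: str, now: Optional[float] = None) -> str:
    """Mint a token of the form '<expiry>.<hmac>' for one PDF path."""
    expiry = int((time.time() if now is None else now) + TOKEN_TTL_SECONDS)
    return f"{expiry}.{_mac(path, expiry)}"


def verify_token(path: str, token: Optional[str], now: Optional[float] = None) -> bool:
    """Accept only an unexpired token whose MAC matches this exact path."""
    if not token or "." not in token:
        return False
    expiry_str, mac = token.split(".", 1)
    if not expiry_str.isdigit():
        return False
    expiry = int(expiry_str)
    if (time.time() if now is None else now) > expiry:
        return False
    # Constant-time comparison so a forged MAC cannot be probed byte by byte.
    return hmac.compare_digest(_mac(path, expiry), mac)


def pdf_filter(request_url: str, now: Optional[float] = None) -> Tuple[str, Dict[str, str]]:
    """Decide what happens to one request:
    ('pass', {})           for URLs that are not PDFs (handed through untouched),
    ('serve', headers)     when a valid token accompanies the PDF request,
    ('redirect', headers)  otherwise, with Location pointing at a URL the filter
                           built itself, carrying only the fresh token."""
    parts = urlsplit(request_url)
    path = parts.path
    if not path.lower().endswith(".pdf"):
        return ("pass", {})
    token = parse_qs(parts.query).get(TOKEN_PARAM, [None])[0]
    if verify_token(path, token, now):
        return ("serve", {"Content-Type": "application/pdf"})
    # No valid token: the original request never reaches the PDF handler.
    location = f"{path}?{urlencode({TOKEN_PARAM: make_token(path, now)})}"
    return ("redirect", {"Location": location})


if __name__ == "__main__":
    first = pdf_filter("/docs/report.pdf?foo=bar")   # constructed request
    print(first)
    print(pdf_filter(first[1]["Location"]))
```

The redirect target deliberately drops everything from the original request except the path and the token, so the only URL under which the PDF is ever served is one the filter minted. A token is bound to a single path and expires, so it cannot be reused for a different document or kept indefinitely.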

Featured Story: "Automated Scanner vs. The OWASP Top Ten"

Apart from some shameless marketing and the paper's real intention, WhiteHat Security has published a good paper on the limitations of web application security scanners' ability to detect the OWASP Top 10 vulnerabilities (which, by the way, all vendors claim they do). I actually think that the examples are quite basic, but they are good enough for the argument presented.

Quote: "The OWASP Top Ten is a list of the most critical web application security flaws – a list also often used as a minimum standard for web application vulnerability assessment (VA) and compliance. There is an ongoing industry dialog about the possibility of identifying the OWASP Top Ten in a purely automated fashion (scanning). People frequently ask what can and can’t be found using either white box or black box scanners. This is important because a single missed vulnerability, or more accurately exploited vulnerability, can cause an organization significant financial harm. Proper expectations must be set when it comes to the various vulnerability assessment solutions."

Note: I haven't seen any web app scanner vendor responses, so if you spot one, let me know.

OWASP AppSec Conference Sponsors - this page is for you if you want to sponsor one of the next OWASP conferences. Quote from page: "OWASP is accepting sponsorships for the 2007 OWASP Conferences. Financial sponsorship for a conference will help defray the non-profit OWASP Foundation's expenses to prepare for and hold this conference."

This one is actually a mistake by PSC Group LLC, since there is currently no relationship between them and OWASP (note: I emailed them and they corrected this on their website).

Fujitsu’s GlobalSTORE Software Completes Visa’s Payment ..., Business Wire (press release), CA - Jan 9, 2007 (there is a major typo in this article (OWASP related); see if you can spot it :) )